1.6.3 EveryTime (FilterBased) - RequestParametersInfo [G]
This tutorial shows how to use a Filter to implement manual authentication by providing credentials with every HTTP request
as HTTP request parameters (?enteredUsername=myuser&enteredPassword=mypassword),
so that the Filter can store the Authentication object into the Context/Session for every HTTP request
before the request is forwarded to the Controller.
The credentials are compared with the hard-coded user inside MyAuthenticationManager.
This Filter-based approach is used when the Session is disabled, so that no JSESSIONID cookie is saved in the browser.
The Session is disabled in WebSecurityConfig.java with sessionCreationPolicy(SessionCreationPolicy.STATELESS).
Application Schema [Results]
Spring Boot Starters
GROUP
DEPENDENCY
DESCRIPTION
Web
Spring Web
Enables Controller Annotations and Tomcat Server
Security
Spring Security
Enables Spring Security
MyFilter
http://localhost:8080/Hello?enteredUsername=myuser&enteredPassword=mypassword
hello()
MyController
Browser
Tomcat
WebSecurityConfig
Procedure
Create Project: springboot_authentication_manual_filter (add Spring Boot Starters from the table)
Create Package: config (inside main package)
Create Class: MyAuthenticationManager.java (inside config package)
Create Class: MyFilter.java (inside config package)
Create Class: WebSecurityConfig.java (inside config package)
Create Package: controllers (inside main package)
Create Class: MyController.java (inside controllers package)
MyAuthenticationManager.java
package com.ivoronline.springboot_authentication_manual_filter.config;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
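@Component
public class MyAuthenticationManager implements AuthenticationManager {

    // HARD CODED USER (tutorial only; the user is not loaded from any store)
    private static final String USERNAME = "myuser";
    private static final String PASSWORD = "mypassword";
    private static final String ROLE = "ROLE_USER";

    /**
     * Checks the entered username and password against the hard-coded user.
     *
     * @param enteredAuthentication token whose principal is the entered username and whose
     *     credentials are the entered password; either may be {@code null} when the request
     *     carried no such parameter (see the calling filter)
     * @return a validated {@link UsernamePasswordAuthenticationToken} carrying ROLE_USER, or
     *     {@code null} when the credentials do not match (the calling filter stores that
     *     {@code null} into the SecurityContext, leaving the request unauthenticated)
     */
    @Override
    public Authentication authenticate(Authentication enteredAuthentication) {
        // GET ENTERED CREDENTIALS - guarded, because a missing request parameter arrives as null
        Object principal = enteredAuthentication == null ? null : enteredAuthentication.getPrincipal();
        Object credentials = enteredAuthentication == null ? null : enteredAuthentication.getCredentials();
        if (!(principal instanceof String) || !(credentials instanceof String)) {
            System.out.println("Bad credentials");
            return null;
        }
        // AUTHENTICATE USER - both comparisons always run and share one failure message, so the
        // caller cannot tell a wrong username from a wrong password, and the comparison is
        // constant-time so the timing does not reveal how many characters matched
        boolean usernameMatches = constantTimeEquals((String) principal, USERNAME);
        boolean passwordMatches = constantTimeEquals((String) credentials, PASSWORD);
        if (!(usernameMatches && passwordMatches)) {
            System.out.println("Bad credentials");
            return null;
        }
        // CREATE AUTHORITIES
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority(ROLE));
        // CREATE VALIDATED AUTHENTICATION - the password is deliberately not copied into the
        // token, so it does not live on in the SecurityContext after the check
        return new UsernamePasswordAuthenticationToken(USERNAME, null, authorities);
    }

    /** Length-independent, constant-time string comparison (UTF-8 bytes). */
    private static boolean constantTimeEquals(String entered, String expected) {
        return MessageDigest.isEqual(
                entered.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }
}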
MyFilter.java
package com.ivoronline.springboot_authentication_manual_filter.config;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
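@Component
public class MyFilter implements Filter {

    @Autowired MyAuthenticationManager myAuthenticationManager;

    /**
     * Authenticates every request from the {@code enteredUsername} and {@code enteredPassword}
     * request parameters, stores the outcome in the SecurityContext and forwards the request.
     *
     * <p>Because the credentials travel as request parameters (the tutorial sends them in the
     * query string), they are likely to appear in server access logs and browser history; this
     * is accepted here for the tutorial only.
     *
     * @param request the current request; the two parameters are {@code null} when absent
     * @param response the current response, passed through untouched
     * @param filterchain the remaining chain, always invoked
     * @throws IOException if the downstream chain throws it
     * @throws ServletException if the downstream chain throws it
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterchain)
            throws IOException, ServletException {
        // GET CREDENTIALS - each is null when the parameter is missing from the request
        String enteredUsername = request.getParameter("enteredUsername");
        String enteredPassword = request.getParameter("enteredPassword");
        // AUTHENTICATE only when both values were supplied; otherwise the request stays
        // unauthenticated and the authorization rules reject it, instead of the manager
        // failing with a NullPointerException on a null principal
        Authentication returnedAuth = null;
        if (enteredUsername != null && enteredPassword != null) {
            Authentication enteredAuth =
                    new UsernamePasswordAuthenticationToken(enteredUsername, enteredPassword);
            returnedAuth = myAuthenticationManager.authenticate(enteredAuth);
        }
        // STORE AUTHENTICATION INTO CONTEXT (null when the credentials were missing or rejected)
        SecurityContextHolder.getContext().setAuthentication(returnedAuth);
        // FORWARD REQUEST
        filterchain.doFilter(request, response);
    }
}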
WebSecurityConfig.java
package com.ivoronline.springboot_authentication_manual_filter.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired private MyFilter myFilter;

    /**
     * Permits {@code /Authenticate} anonymously, requires authentication for every other
     * request, disables session creation (no JSESSIONID cookie) and places {@link MyFilter}
     * ahead of the standard username/password filter.
     *
     * <p>Note: no {@code /Authenticate} endpoint is shown in this tutorial (the controller
     * serves {@code /Hello} only), so that rule has no effect on the requests shown.
     * NOTE(review): a {@code @Component} Filter bean is typically also registered by Spring Boot
     * as a plain servlet filter, in which case it would run a second time outside the security
     * chain; confirm and disable that registration if it applies.
     *
     * @param httpSecurity the builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
                .antMatchers("/Authenticate").permitAll()                      // Anonymous
                .anyRequest().authenticated()                                  // Authenticated
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)        // No Session
                .and()
            .addFilterBefore(myFilter, UsernamePasswordAuthenticationFilter.class); // Add Filter
    }
}
MyController.java
package com.ivoronline.springboot_authentication_manual_filter.controllers;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class MyController {

    /** Body returned by {@link #hello()}. */
    private static final String GREETING = "Hello from Controller";

    /**
     * Handles {@code /Hello} and writes a fixed greeting straight to the response body.
     *
     * @return the greeting text
     */
    @RequestMapping("/Hello")
    @ResponseBody
    public String hello() {
        return GREETING;
    }
}